#11037 closed (duplicate)
Support HTTPOnly cookie for HttpResponse.set_cookie
Reported by: | Henrik Vendelbo | Owned by: | nobody |
---|---|---|---|
Component: | HTTP handling | Version: | master |
Severity: | | Keywords: | |
Cc: | | Triage Stage: | Design decision needed |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | | UI/UX: | |
Description
Most browsers have some support for HTTPOnly cookies. It provides some protection against XSS attacks.
http://www.owasp.org/index.php/HTTPOnly
I've added another optional parameter to the set_cookie method. I also figured that it should be possible to make the sessionid use the flag.
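An added example, not part of the ticket, the attached patch, or Django's code: what the HttpOnly attribute looks like on the wire and how to check response headers for a session cookie that lacks it. It uses only Python's standard `http.cookies` module; the function names and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie


def build_set_cookie(name, value, httponly=False, path="/"):
    """Return the Set-Cookie header value for one cookie."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if httponly:
        # Flag attribute: emitted as a bare "HttpOnly" token, no value.
        jar[name]["httponly"] = True
    return jar[name].OutputString()


def cookie_flags(header_value):
    """Split a Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *attrs = header_value.split(";")
    name = first.split("=", 1)[0].strip()
    # Attribute names are case-insensitive, so normalise before comparing.
    flags = {a.split("=", 1)[0].strip().lower() for a in attrs if a.strip()}
    return name, flags


def missing_httponly(header_values, sensitive=("sessionid",)):
    """Names of sensitive cookies that were sent without HttpOnly."""
    missing = []
    for value in header_values:
        name, flags = cookie_flags(value)
        if name in sensitive and "httponly" not in flags:
            missing.append(name)
    return missing


# Constructed sample Set-Cookie values (not taken from a real response).
SAMPLE = [
    build_set_cookie("sessionid", "abc123"),                 # readable by scripts
    build_set_cookie("sessionid", "abc123", httponly=True),  # hidden from scripts
    "theme=dark; Path=/",                                    # not sensitive
    "sessionid=xyz; path=/; httponly",                       # lower-case attribute
]

if __name__ == "__main__":
    for header in SAMPLE:
        print(header, "->", cookie_flags(header))
    print("missing HttpOnly:", missing_httponly(SAMPLE))
```
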
Attachments (1)
Change History (4)
comment:1 Changed 9 years ago by
Has patch: | unset |
---|---|
milestone: | 1.1 |
Triage Stage: | Unreviewed → Design decision needed |
comment:2 Changed 9 years ago by
Resolution: | → duplicate |
---|---|
Status: | new → closed |
Duplicate of #3304. Please search the existing ticket list before submitting new tickets.
Changed 9 years ago by
Attachment: | 11037.diff added |
---|
comment:3 Changed 9 years ago by
I did search for httponly and set_cookie, didn't find anything.
Anyway, I added a couple of doctests for HttpResponse that might be useful.
It's too late for new features in 1.1.